CVEbaza.plCWE DictionaryCWE-326
Common Weakness Enumeration

CWE-326

Inadequate Encryption Strength

Category: ClassCVE: 520
Description

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

Extended Description

A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.

CVE vulnerabilities with CWE-326 (520)
10.0
CVSS
CRITICAL
CVE-2026-44523

Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWT_SECRET configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte. This vulnerability is fixed in 0.19.4.

pub. 2026-05-14
10.0
CVSS
CRITICAL
CVE-2025-12478

Non-Compliant TLS Configuration.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 .

pub. 2025-10-29
10.0
CVSS
CRITICAL
CVE-2020-6966

In ApexPro Telemetry Server Versions 4.2 and prior, CARESCAPE Telemetry Server v4.2 & prior, Clinical Information Center (CIC) Versions 4.X and 5.X, CARESCAPE Central Station (CSCS) Versions 1.X, the affected products utilize a weak encryption scheme for remote desktop control, which may allow an attacker to obtain remote code execution of devices on the network.

pub. 2020-01-24
10.0
CVSS
CRITICAL
CVE-2019-16649

On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination of encryption and authentication problems in the virtual media service allows capture of BMC credentials and data transferred over virtual media devices. Attackers can use captured credentials to connect virtual USB devices to the server managed by the BMC.

pub. 2019-09-21
10.0
CVSS
HIGH
CVE-2014-9199

The Clorius Controls Java web client before 01.00.0009g allows remote attackers to discover credentials by sniffing the network for cleartext-equivalent traffic.

pub. 2015-01-17
9.8
CVSS
CRITICAL
CVE-2022-45141

Since the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability was disclosed by Microsoft on Nov 8 2022 and per RFC8429 it is assumed that rc4-hmac is weak, Vulnerable Samba Active Directory DCs will issue rc4-hmac encrypted tickets despite the target server supporting better encryption (eg aes256-cts-hmac-sha1-96).

pub. 2023-03-06
9.8
CVSS
CRITICAL
CVE-2022-24116

Certain General Electric Renewable Energy products have inadequate encryption strength. This affects iNET and iNET II before 8.3.0.

pub. 2022-12-26
9.8
CVSS
CRITICAL
CVE-2022-3273

Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0a4.

pub. 2022-10-06
9.8
CVSS
CRITICAL
CVE-2022-36555

Hytec Inter HWL-2511-SS v1.05 and below implements a SHA512crypt hash for the root account which can be easily cracked via a brute-force attack.

pub. 2022-08-29
9.8
CVSS
CRITICAL
CVE-2022-30285

In Quest KACE Systems Management Appliance (SMA) through 12.0, a hash collision is possible during authentication. This may allow authentication with invalid credentials.

pub. 2022-08-02
9.8
CVSS
CRITICAL
CVE-2021-42216

A Broken or Risky Cryptographic Algorithm exists in AnonAddy 0.8.5 via VerificationController.php.

pub. 2021-12-15
9.8
CVSS
CRITICAL
CVE-2020-14517

Protocol encryption can be easily broken for CodeMeter (All versions prior to 6.90 are affected, including Version 6.90 or newer only if CodeMeter Runtime is running as server) and the server accepts external connections, which may allow an attacker to remotely communicate with the CodeMeter API.

pub. 2020-09-16
9.8
CVSS
CRITICAL
CVE-2020-10275

The access tokens for the REST API are directly derived from the publicly available default credentials for the web interface. Given a USERNAME and a PASSWORD, the token string is generated directly with base64(USERNAME:sha256(PASSWORD)). An unauthorized attacker inside the network can use the default credentials to compute the token and interact with the REST API to exfiltrate, infiltrate or delete data.

pub. 2020-06-24
9.8
CVSS
CRITICAL
CVE-2013-7287

MobileIron VSP < 5.9.1 and Sentry < 5.0 has an insecure encryption scheme.

pub. 2020-02-13
9.8
CVSS
CRITICAL
CVE-2013-2166

python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache encryption bypass

pub. 2019-12-10
9.8
CVSS
CRITICAL
CVE-2011-4121

The OpenSSL extension of Ruby (Git trunk) versions after 2011-09-01 up to 2011-11-03 always generated an exponent value of '1' to be used for private RSA key generation. A remote attacker could use this flaw to bypass or corrupt integrity of services, depending on strong private RSA keys generation mechanism.

pub. 2019-11-26
9.8
CVSS
CRITICAL
CVE-2019-15805

CommScope ARRIS TR4400 devices with firmware through A1.00.004-180301 are vulnerable to an authentication bypass to the administrative interface because they include the current base64 encoded password within http://192.168.1.1/login.html. Any user connected to the Wi-Fi can exploit this.

pub. 2019-08-29
9.8
CVSS
CRITICAL
CVE-2019-15806

CommScope ARRIS TR4400 devices with firmware through A1.00.004-180301 are vulnerable to an authentication bypass to the administrative interface because they include the current base64 encoded password within http://192.168.1.1/basic_sett.html. Any user connected to the Wi-Fi can exploit this.

pub. 2019-08-29
9.8
CVSS
CRITICAL
CVE-2018-20810

Session data between cluster nodes during cluster synchronization is not properly encrypted in Pulse Secure Pulse Connect Secure (PCS) 8.3RX before 8.3R2 and Pulse Policy Secure (PPS) 5.4RX before 5.4R2. This is not applicable to PCS 8.1RX, PPS 5.2RX, or stand-alone devices.

pub. 2019-06-28
9.8
CVSS
CRITICAL
CVE-2019-10907

Airsonic 10.2.1 uses Spring's default remember-me mechanism based on MD5, with a fixed key of airsonic in GlobalSecurityConfig.java. An attacker able to capture cookies might be able to trivially bruteforce offline the passwords of associated users.

pub. 2019-04-07
Showing 20 of 520 vulnerabilities
Information
ID: CWE-326
Type: Class
Vulnerabilities: 520
MITRE CWE ↗
← CWE Dictionary
CWE-326 — Inadequate Encryption Strength | CWE Dictionary | CVEbaza.pl